Brian DeHamer

Results: 21 comments by Brian DeHamer

cc @kommendorkapten @patflynn generating TypeScript types from the protobufs in https://github.com/sigstore/cosign/pull/2204

@feelepxyz thanks for working on this. I took what you did and refactored a bit:

* Moved the script and Dockerfile into a new `hack` directory (I think this was...

Related to the `job_workflow_ref` and `workflow` claims in token issued by GitHub Actions . . . The `job_workflow_ref` claim provides the full path to the _called_ workflow:

```
slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/heads/main
```

...

> Is there a way to get the analog of that `job_workflow_ref` with organization IDs, repo IDs, and digests?

I don't know, but I'll try and track down the team...

@jamietanna I'm digging into this issue and considering a couple different solutions. I'd be curious to hear which of these best meets the need of your SBOM use cases ....

@haydentherapper

> what if the package registry managed a signing identity and fetched a code-signing certificate that only includes its identity as an `email` or `username` certificate identity type?

This...

This seems like a nice simplification, and I'm definitely in favor of that. This should have no impact on `sigstore-js` as it has never had support for detached SCTs. One...

As @haydentherapper already noted, sigstore-js is parsing the key ID from the signature and using that to identify the appropriate key. My vote is definitely for a VERY slow rollout...

I was just looking through the [implementation](https://github.com/sigstore/sigstore-js/blob/main/packages/verify/src/timestamp/checkpoint.ts#L91-L93) in sigstore-js trying to understand what may need to change. Currently, it grabs the first four bytes of the checkpoint signature and uses...